>From 9c7696de54380b2eb3982096fae8c1ab85704eef Mon Sep 17 00:00:00 2001
From: Shawn Wells <[email protected]>
Date: Tue, 25 Dec 2012 18:15:07 -0500
Subject: [PATCH 09/17] Updated mappings for AC-6*

Updated several mappings for AC-6. A key distinction between AC-6 and CM-6/CM-7 is that AC-6 calls for least privilege -- e.g. file permissions -- whereas the latter CM-* sections call out least functionality (e.g. only ssh can listen on port 22).
---
 RHEL6/input/intro/intro.xml | 15 +++---
 RHEL6/input/services/base.xml | 2 +-
 RHEL6/input/services/mail.xml | 5 +-
 RHEL6/input/services/ssh.xml | 2 +-
 RHEL6/input/system/accounts/physical.xml | 2 +-
 .../system/accounts/restrictions/root_logins.xml | 6 +-
 RHEL6/input/system/logging.xml | 4 +-
 RHEL6/input/system/permissions/execution.xml | 2 +-
 RHEL6/input/system/permissions/files.xml | 46 ++++++++++----------
 RHEL6/input/system/permissions/mounting.xml | 4 +-
 RHEL6/input/system/permissions/partitions.xml | 4 +-
 RHEL6/input/system/selinux.xml | 4 +-
 RHEL6/input/system/software/integrity.xml | 2 +-
 13 files changed, 49 insertions(+), 49 deletions(-)

diff --git a/RHEL6/input/intro/intro.xml b/RHEL6/input/intro/intro.xml
index 494eeec..c56249b 100644
--- a/RHEL6/input/intro/intro.xml
+++ b/RHEL6/input/intro/intro.xml
@@ -86,14 +86,15 @@ detection of problems.
 <title>Least Privilege</title>
 <description>
 Grant the least privilege necessary for user accounts and software to perform tasks.
-For example, do not allow users except those that need administrator access to use
-<tt>sudo</tt>. Another example is to limit logins on server systems to only those
-administrators who need to log into them in order to perform administration tasks.
-Using SELinux also follows the principle of least privilege: SELinux policy can
-confine software to perform only actions on the system that are specifically allowed.
-This can be far more restrictive than the actions permissible by the traditional
-Unix permissions model.
+For example, <tt>sudo</tt> can be implimented to limit authorization to super user
+accounts on the system only to designated personnel. Another example is to limit
+logins on server systems to only those administrators who need to log into them in
+order to perform administration tasks. Using SELinux also follows the principle of
+least privilege: SELinux policy can confine software to perform only actions on the
+system that are specifically allowed. This can be far more restrictive than the
+actions permissible by the traditional Unix permissions model.
 </description>
+<refs nist="AC-6,AC-6(5)" />
 </Group>
 </Group>
 
diff --git a/RHEL6/input/services/base.xml b/RHEL6/input/services/base.xml
index 6c040fa..ed12562 100644
--- a/RHEL6/input/services/base.xml
+++ b/RHEL6/input/services/base.xml
@@ -291,7 +291,7 @@ tasks by privileged programs, on behalf of unprivileged ones, has traditionally
 been a source of privilege escalation security issues.</rationale>
 <ident cce="TODO" />
 <oval id="service_oddjobd_disabled" />
-<ref nist="AC-6, CM-6, CM-7" disa="382" />
+<ref nist="CM-6, CM-7" disa="382" />
 <tested by="DS" on="20121024"/>
 </Rule>
 
diff --git a/RHEL6/input/services/mail.xml b/RHEL6/input/services/mail.xml
index cd545b7..058aeda 100644
--- a/RHEL6/input/services/mail.xml
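Review bot: The mapping added to intro.xml is spelled `<refs nist="AC-6,AC-6(5)" />`, while every other mapping in this patch (including the Group-level one removed in mail.xml) uses `<ref ... />`; unless Group elements in this project deliberately take a different element name, the build transforms will not pick the new mapping up and the line should read `+<ref nist="AC-6,AC-6(5)" />`. The rewritten sentence also misspells "implimented" (`implemented`) and splits "super user", which the surrounding guide text writes as one word. The enclosing Group opens before the hunk.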
+++ b/RHEL6/input/services/mail.xml
@@ -117,7 +117,6 @@ privilege escalation or denial of service attacks which might compromise the mai
 steps to ensure that only system administrators are allowed shell access to the MTA host.
 </description>
 <!-- <ident cce="TODO:CCE" /> -->
-<ref nist="AC-6, SC-2" />
 </Group>
 
 <Group id="postfix_restrict_mail_spool_access">
@@ -155,7 +154,7 @@ Ensure log will be rotated as appropriate by adding or correcting the following
 </description>
 <!-- <ident cce="TODO:CCE" /> -->
 <oval id="postfix_logging" />
-<ref nist="AC-6, AU-2, AU-9" />
+<ref nist="AU-2, AU-9" />
 </Rule>
 
 <Group id="postfix_configure_ssl_certs">
@@ -214,7 +213,7 @@ correct permissions:
 </description>
 <!-- <ident cce="TODO:CCE" /> -->
 <oval id="postfix_certificate_files" />
-<ref nist="AC-6, SC-12, SC-13" />
+<ref nist="SC-12, SC-13" />
 </Rule>
 </Group><!--End <Group id="postfix_configure_ssl_certs"> -->
 
diff --git a/RHEL6/input/services/ssh.xml b/RHEL6/input/services/ssh.xml
index 4455d05..ad56317 100644
--- a/RHEL6/input/services/ssh.xml
+++ b/RHEL6/input/services/ssh.xml
@@ -264,7 +264,7 @@ and also allows direct attack attempts on root's password.
 </rationale>
 <ident cce="27100-7" />
 <oval id="sshd_permitrootlogin_no" />
-<ref disa="770" />
+<ref nist="AC-6(2)" disa="770" />
 <tested by="DS" on="20121024"/>
 </Rule>
 
diff --git a/RHEL6/input/system/accounts/physical.xml b/RHEL6/input/system/accounts/physical.xml
index 3ed7712..7f24565 100644
--- a/RHEL6/input/system/accounts/physical.xml
+++ b/RHEL6/input/system/accounts/physical.xml
@@ -130,7 +130,7 @@ by configuring the bootloader password.
 </rationale>
 <ident cce="27040-5" />
 <oval id="singleuser_password" />
-<ref nist="AC-6, IA-5" disa="213" />
+<ref nist="CM-7,IA-5" disa="213" />
 <tested by="DS" on="20121024"/>
 </Rule>
 
diff --git a/RHEL6/input/system/accounts/restrictions/root_logins.xml b/RHEL6/input/system/accounts/restrictions/root_logins.xml
index 3e12104..b8cdd06 100644
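Review bot: The first mail.xml hunk deletes the Group's whole `<ref nist="AC-6, SC-2" />` line, which drops the SC-2 mapping along with AC-6 even though the commit only sets out to move AC-6; if SC-2 still applies, the removed line should be replaced by `<ref nist="SC-2" />`, the way the other two mail.xml hunks keep their remaining controls. The physical.xml hunk further down this line swaps AC-6 for CM-7 on singleuser_password; that rule is about requiring authentication before root access in single-user mode rather than disabling a function, so it is worth a second look against the AC-6 versus CM-7 distinction the commit message draws.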
--- a/RHEL6/input/system/accounts/restrictions/root_logins.xml
+++ b/RHEL6/input/system/accounts/restrictions/root_logins.xml
@@ -59,7 +59,7 @@ using the root account.
 </rationale>
 <ident cce="26855-7" />
 <oval id="securetty_root_login_console_only" />
-<ref nist="CM-6, CM-7" disa="770" />
+<ref nist="AC-6(2),CM-6, CM-7" disa="770" />
 <tested by="DS" on="20121024"/>
 </Rule>
 
@@ -84,7 +84,7 @@ using the root account.
 </rationale>
 <ident cce="27047-0" />
 <oval id="securetty_no_serial" />
-<ref nist="AC-6" disa="770" />
+<ref nist="AC-6(2),CM-7" disa="770" />
 <tested by="DS" on="20121024"/>
 </Rule>
 
@@ -167,7 +167,7 @@ access to root privileges in an accountable manner.
 </rationale>
 <ident cce="26971-2" />
 <oval id="accounts_no_uid_except_zero" />
-<ref nist="AC-11, CM-6, CM-7" disa="366" />
+<ref nist="AC-6,AC-11, CM-6, CM-7" disa="366" />
 <tested by="DS" on="20121024"/>
 </Rule>
 
diff --git a/RHEL6/input/system/logging.xml b/RHEL6/input/system/logging.xml
index a557e5a..f41ff5d 100644
--- a/RHEL6/input/system/logging.xml
+++ b/RHEL6/input/system/logging.xml
@@ -137,7 +137,7 @@ configuration, user authentication, and other such information. Log files should
 protected from unauthorized access.</rationale>
 <ident cce="26812-8" />
 <oval id="rsyslog_files_ownership" />
-<ref nist="CM-6" disa="1314"/>
+<ref nist="AC-6,CM-6" disa="1314"/>
 <tested by="DS" on="20121024"/>
 </Rule>
 
@@ -163,7 +163,7 @@ configuration, user authentication, and other such information. Log files should
 protected from unauthorized access.</rationale>
 <ident cce="26821-9" />
 <oval id="rsyslog_files_groupownership" />
-<ref nist="CM-6" disa="1314"/>
+<ref nist="AC-6,CM-6" disa="1314"/>
 <tested by="DS" on="20121024"/>
 </Rule>
 
diff --git a/RHEL6/input/system/permissions/execution.xml b/RHEL6/input/system/permissions/execution.xml
index e4e2a1b..a4cd357 100644
--- a/RHEL6/input/system/permissions/execution.xml
+++ b/RHEL6/input/system/permissions/execution.xml
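Review bot: The new value `AC-6(2),CM-6, CM-7` on securetty_root_login_console_only mixes `,` and `, ` as separators inside one attribute, and `AC-6,AC-11, CM-6, CM-7` on accounts_no_uid_except_zero does the same; the partitions.xml hunk in this patch normalizes `CM-7, MP-2` to `CM-7,MP-2`, so the comma-only form appears to be the intended convention and these would read `AC-6(2),CM-6,CM-7` and `AC-6,AC-11,CM-6,CM-7`. Whether the downstream splitter tolerates both forms cannot be told from here, but one convention across the file keeps later transforms and greps predictable.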
@@ -47,7 +47,7 @@ process at run time. An unnecessarily permissive umask could result in files
 being created with insecure permissions.</rationale>
 <ident cce="27031-4" />
 <oval id="umask_for_daemons" value="var_umask_for_daemons"/>
-<ref nist="CM-6"/>
+<ref nist="AC-6,CM-6"/>
 </Rule>
 </Group>
 
diff --git a/RHEL6/input/system/permissions/files.xml b/RHEL6/input/system/permissions/files.xml
index f614569..350ef7c 100644
--- a/RHEL6/input/system/permissions/files.xml
+++ b/RHEL6/input/system/permissions/files.xml
@@ -28,7 +28,7 @@ to root provides the designated owner with access to sensitive information
 which could weaken the system security posture.</rationale>
 <ident cce="26947-2" />
 <oval id="file_owner_etc_shadow" />
-<ref nist="CM-6" disa="225"/>
+<ref nist="AC-6,CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -40,7 +40,7 @@ which could weaken the system security posture.</rationale>
 critical for system security.</rationale>
 <ident cce="26967-0" />
 <oval id="file_groupowner_etc_shadow" />
-<ref nist="CM-6" disa="225"/>
+<ref nist="AC-6,CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -55,7 +55,7 @@ to root provides the designated owner with access to sensitive information
 which could weaken the system security posture.</rationale>
 <ident cce="26992-8" />
 <oval id="file_permissions_etc_shadow" />
-<ref nist="CM-6" disa="225"/>
+<ref nist="AC-6,CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -67,7 +67,7 @@ which could weaken the system security posture.</rationale>
 on the system. Protection of this file is important for system security.</rationale>
 <ident cce="26822-7" />
 <oval id="file_owner_etc_group" />
-<ref nist="CM-6"/>
+<ref nist="AC-6,CM-6"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -79,7 +79,7 @@ on the system. Protection of this file is important for system security.</ration
 on the system. Protection of this file is important for system security.</rationale>
 <ident cce="26930-8" />
 <oval id="file_groupowner_etc_group" />
-<ref nist="CM-6" disa="225"/>
+<ref nist="AC-6,CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -91,7 +91,7 @@ on the system. Protection of this file is important for system security.</ration
 on the system. Protection of this file is important for system security.</rationale>
 <ident cce="26954-8" />
 <oval id="file_permissions_etc_group" />
-<ref nist="CM-6" disa="225"/>
+<ref nist="AC-6,CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -103,7 +103,7 @@ on the system. Protection of this file is important for system security.</ration
 is critical for system security.</rationale>
 <ident cce="27026-4" />
 <oval id="file_owner_etc_gshadow" />
-<ref nist="CM-6" disa="225"/>
+<ref nist="AC-6,CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -115,7 +115,7 @@ is critical for system security.</rationale>
 is critical for system security.</rationale>
 <ident cce="26975-3" />
 <oval id="file_groupowner_etc_gshadow" />
-<ref nist="CM-6" disa="225"/>
+<ref nist="AC-6,CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -127,7 +127,7 @@ is critical for system security.</rationale>
 is critical for system security.</rationale>
 <ident cce="26951-4" />
 <oval id="file_permissions_etc_gshadow" />
-<ref nist="CM-6" disa="225"/>
+<ref nist="AC-6,CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -139,7 +139,7 @@ is critical for system security.</rationale>
 the system. Protection of this file is critical for system security.</rationale>
 <ident cce="26953-0" />
 <oval id="file_owner_etc_passwd" />
-<ref nist="CM-6" disa="225"/>
+<ref nist="AC-6,CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -151,7 +151,7 @@ the system. Protection of this file is critical for system security.</rationale>
 the system. Protection of this file is critical for system security.</rationale>
 <ident cce="26856-5" />
 <oval id="file_groupowner_etc_passwd" />
-<ref nist="CM-6" disa="225"/>
+<ref nist="AC-6,CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -165,7 +165,7 @@ accounts on the system and associated information, and protection of this file
 is critical for system security.</rationale>
 <ident cce="26868-0" />
 <oval id="file_permissions_etc_passwd" />
-<ref nist="CM-6" disa="225"/>
+<ref nist="AC-6,CM-6" disa="225"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 </Group>
@@ -208,7 +208,7 @@ run the following command for each directory <i>DIR</i> which contains shared li
 space of processes (including privileged ones) or of the kernel itself at runtime.
 Restrictive permissions are necessary to protect the integrity of the system.
 </rationale>
-<ref disa="1499"/>
+<ref nist="AC-6" disa="1499"/>
 <tested by="DS" on="20121026"/>
 </Rule>
 
@@ -238,7 +238,7 @@ run the following command for each directory <i>DIR</i> which contains shared li
 space of processes (including privileged ones) or of the kernel itself at runtime.
 Proper ownership is necessary to protect the integrity of the system.
 </rationale>
-<ref disa="1499"/>
+<ref nist="AC-6" disa="1499"/>
 </Rule>
 
 
@@ -267,7 +267,7 @@ run the following command for each directory <i>DIR</i> which contains system ex
 and restrictive permissions are necessary to ensure execution of these programs
 cannot be co-opted.
 </rationale>
-<ref disa="1499"/>
+<ref nist="AC-6" disa="1499"/>
 </Rule>
 
 <Rule id="file_ownership_binary_dirs" severity="medium">
@@ -295,7 +295,7 @@ run the following command for each directory <i>DIR</i> which contains system ex
 and restrictive permissions are necessary to ensure that their execution of these
 programs cannot be co-opted.
 </rationale>
-<ref disa="1499"/>
+<ref nist="AC-6" disa="1499"/>
 </Rule>
 
 
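Review bot: The four rules at -208, -238, -267 and -295 end up with `<ref nist="AC-6" disa="1499"/>` alone, while every other files.xml rule touched in this patch ends up with `AC-6,CM-6`; these are the shared-library and system-binary permission/ownership rules, configuration-setting checks of the same kind as their siblings, so if CM-6 applies to the siblings it very likely applies here too (`<ref nist="AC-6,CM-6" disa="1499"/>`). If the omission is deliberate because these rules had no nist attribute before, a sentence in the commit message would spare the next reader the question. Note also that these four rules carry no `<ident>` or `<oval>` line in the hunks, which is outside this change but worth tracking.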
@@ -332,7 +332,7 @@ and for directories requiring global read/write access.
 </rationale>
 <ident cce="26840-9" />
 <oval id="dir_perms_world_writable_sticky_bits" />
-<ref nist="CM-6"/>
+<ref nist="AC-6,CM-6"/>
 <tested by="swells" on="20120929"/>
 </Rule>
 
@@ -355,7 +355,7 @@ configured using a combination of user and group permissions to support whatever
 legitimate access is needed without the risk caused by world-writable files.</rationale>
 <ident cce="26910-0" />
-<ref nist="CM-6"/>
+<ref nist="AC-6,CM-6"/>
 </Rule>
 
 <Rule id="no_unpackaged_sgid_files">
@@ -376,7 +376,7 @@ unprivileged users to elevate privileges. The presence of these files should be
 strictly controlled on the system.</rationale>
 <ident cce="26769-0" />
 <oval id="file_permissions_unauthorized_sgid" />
-<ref nist="CM-6"/>
+<ref nist="CM-7,CM-6"/>
 </Rule>
 
 <Rule id="no_unpackaged_suid_files">
@@ -397,7 +397,7 @@ unprivileged users to elevate privileges. The presence of these files should be
 strictly controlled on the system.</rationale>
 <ident cce="26497-8" />
 <oval id="file_permissions_unauthorized_suid" />
-<ref nist="CM-6"/>
+<ref nist="CM-6,CM-7"/>
 </Rule>
 
 
@@ -425,7 +425,7 @@ and the cause should be discovered and addressed.
 </rationale>
 <ident cce="27032-2" />
 <oval id="file_permissions_unowned" />
-<ref nist="CM-6" disa="224"/>
+<ref nist="AC-6,CM-6" disa="224"/>
 </Rule>
 
 <Rule id="no_files_unowned_by_group">
@@ -452,7 +452,7 @@ and the cause should be discovered and addressed.
 </rationale>
 <ident cce="26872-2" />
 <oval id="file_permissions_ungroupowned" />
-<ref nist="CM-6" disa="224"/>
+<ref nist="AC-6,CM-6" disa="224"/>
 </Rule>
 
 <Rule id="world_writable_files_system_ownership">
@@ -478,7 +478,7 @@ users.
 </rationale>
 <ident cce="26642-9" />
 <oval id="dir_perms_world_writable_system_owned" />
-<ref nist="CM-6"/>
+<ref nist="AC-6,CM-6"/>
 <tested by="swells" on="20120929"/>
 </Rule>
 </Group>
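Review bot: no_unpackaged_sgid_files gets `CM-7,CM-6` while the mirrored no_unpackaged_suid_files gets `CM-6,CM-7` — the same control set in two orders on two rules that are otherwise identical; the rest of the patch lists controls in ascending order, so `<ref nist="CM-6,CM-7"/>` on both. Both rationales in these hunks say unpackaged SUID/SGID files allow unprivileged users to elevate privileges, which by the commit message's own distinction is a least-privilege (AC-6) concern and not only least functionality, so consider whether AC-6 belongs alongside CM-6/CM-7 on these two rules as it does on the unowned-file rules below them.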
diff --git a/RHEL6/input/system/permissions/mounting.xml b/RHEL6/input/system/permissions/mounting.xml
index c1b0618..9e87286 100644
--- a/RHEL6/input/system/permissions/mounting.xml
+++ b/RHEL6/input/system/permissions/mounting.xml
@@ -36,7 +36,7 @@ limited for non-root users. Review the man page for <tt>pam_console</tt> for
 more information</rationale>
 <ident cce="27192-4" />
 <oval id="console_device_restrict_access_desktop" />
-<ref nist="AC-6, CM-6, CM-7" />
+<ref nist="CM-6, CM-7" />
 </Rule>
 
 <Rule id="console_device_restrict_access_server">
@@ -55,7 +55,7 @@ limited for non-root users. Review the man page for <tt>pam_console</tt> for
 more information</rationale>
 <ident cce="26892-0" />
 <oval id="console_device_restrict_access_server" />
-<ref nist="AC-6, CM-6, CM-7" />
+<ref nist="CM-6, CM-7" />
 </Rule>
 
 <Rule id="kernel_module_usb-storage_disabled">
diff --git a/RHEL6/input/system/permissions/partitions.xml b/RHEL6/input/system/permissions/partitions.xml
index 10d4ea1..8333e8a 100644
--- a/RHEL6/input/system/permissions/partitions.xml
+++ b/RHEL6/input/system/permissions/partitions.xml
@@ -30,7 +30,7 @@ The only exception to this is chroot jails, for which it is not advised to set
 <tt>nodev</tt> on these filesystems.</rationale>
 <ident cce="27045-4" />
 <oval id="mount_option_nodev_nonroot_local_partitions" />
-<ref nist="CM-6, CM-7, AC-6"/>
+<ref nist="CM-6, CM-7"/>
 </Rule>
 
 <Rule id="mountopt_nodev_on_removable_partitions">
@@ -71,7 +71,7 @@ The output should show <tt>noexec</tt> in use.
 </ocil>
 <ident cce="27196-5" />
 <oval id="mount_option_noexec_removable_partitions" value="var_removable_partition" />
-<ref nist="CM-7, MP-2" disa="87" />
+<ref nist="CM-7,MP-2" disa="87" />
 </Rule>
 
 <!-- investigate: this is like obsoleted by gvfs/DeviceKit-based mounting now -->
diff --git a/RHEL6/input/system/selinux.xml b/RHEL6/input/system/selinux.xml
index a409ae7..6b4c253 100644
--- a/RHEL6/input/system/selinux.xml
+++ b/RHEL6/input/system/selinux.xml
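Review bot: The two mounting.xml hunks drop AC-6 from console_device_restrict_access_desktop and _server, yet the rationale text carried in the hunk headers is about limiting device access for non-root console users through pam_console — an ownership/permission restriction, which is the kind of control the commit message itself places under AC-6 rather than CM-6/CM-7. If the removal is intentional, saying why in the commit message would make the mapping defensible later; otherwise `<ref nist="AC-6, CM-6, CM-7" />` should stay on both rules. The partitions.xml -71 hunk on this line only removes a space in the attribute value and needs no review.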
@@ -99,7 +99,7 @@ the chances that it will remain off during system operation.
 </rationale>
 <ident cce="26956-3" />
 <oval id="selinux_bootloader_notdisabled" />
-<ref nist="AC-3, CM-6" disa="22,32"/>
+<ref nist="AC-3,AC-6,CM-6" disa="22,32"/>
 <tested by="DS" on="20121024"/>
 </Rule>
 
@@ -148,7 +148,7 @@ targeted for exploitation, such as network or system services.
 </rationale>
 <ident cce="26875-5" />
 <oval id="selinux_policytype" value="var_selinux_policy_name"/>
-<ref nist="AC-4,CM-6" disa="22,32"/>
+<ref nist="AC-3,AC-4,AC-6,CM-6" disa="22,32"/>
 <tested by="DS" on="20121024"/>
 </Rule>
 </Group>
diff --git a/RHEL6/input/system/software/integrity.xml b/RHEL6/input/system/software/integrity.xml
index e1308f6..1258b0f 100644
--- a/RHEL6/input/system/software/integrity.xml
+++ b/RHEL6/input/system/software/integrity.xml
@@ -161,7 +161,7 @@ The permissions set by the vendor should be maintained. Any deviations from this
 baseline should be investigated.</rationale>
 <ident cce="26731-0" />
 <oval id="rpm_verify_permissions" />
-<ref nist="CM-6" disa="1493,1494,1495" />
+<ref nist="AC-6,CM-6" disa="1493,1494,1495" />
 </Rule>
 
 <Rule id="rpm_verify_hashes">
-- 
1.7.1
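Review bot: The selinux_policytype hunk adds AC-3 as well as AC-6 (`AC-4,CM-6` becomes `AC-3,AC-4,AC-6,CM-6`), and AC-3 is outside the AC-6 remapping the commit message describes; either keep this commit to `AC-4,AC-6,CM-6` and move the AC-3 addition to its own change, or mention it in the message so the mapping history stays traceable. The selinux_bootloader_notdisabled hunk above it also silently switches that attribute from `, ` to `,` separators, which is fine if comma-only is the convention being adopted, but it is the same inconsistency raised on root_logins.xml and deserves one rule for the whole patch.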
